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Abstract 

Q 

Q^ ' This paper describes the security weakness of a recently proposed improved chaotic 

^ . encryption method based on the modulation of a signal generated by a chaotic 

system with an appropriately chosen scalar signal. The aim of the improvement is 
to avoid the breaking of chaotic encryption schemes by means of the return map 
attack introduced by Perez and Cerdeira. A method of attack based on taking the 
absolute value of the ciphertext is presented, that allows for the cancellation of the 
modulation scalar signal and the determination of some system parameters that play 



VO ' the role of system key. The proposed improved method is shown to be compromised 

^^ , without any knowledge of the chaotic system parameter values and even without 

f"^ ' knowing the transmitter structure. 
^' 
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1 Introduction 



The possibility of synchronization of two coupled chaotic systems was first 
shown by Pecora and Carrol [1,2,3]. The importance of this discovery was 
quickly appreciated [4,5], and soon this topic aroused great interest as a po- 
tential means for communications [6,7,8]. In recent years, a considerable effort 
has been devoted to extend the chaotic communication applications to the field 
of secure communications. Accordingly, a number of cryptosystems based on 



* Telephone: +34-915 618 806; Telefax: +34-914 117 651; Email: gonzalo@iec.csic.es 
Preprint submitted to Elsevier Science 8 February 2008 



chaos has been proposed [9,10,11,12,13]; some of them fundamentally flawed 
by a lack of robustness and security [14,15,16,17,18]. 

Perez and Cerdeira showed in [19] that it was possible to retrieve the data 
encrypted by chaos when a parameter of the sender is switched between two 
values. The data were recovered directly from the ciphertext signal, without 
using the authorized receiver and even without reconstructing the dynamics 
of the chaotic system, by means of the attractor of a return map. Later this 
method was further developed by Yang et al. in [20] . 

Recently Bu and Wang [21] proposed an improved chaotic encryption method. 
The aim of the improvement is to foil the return map attack to chaotic en- 
cryption schemes of [19,20]. The proposed approach is illustrated by means of 
a Lorenz system, described by the following equations: 

Xi = (t(x2 — Xi) 

X2 = rXi - X2- X1X3 (1) 

X3 = 0:1X2 - bxs 

being a, r and b the system internal parameters. 

In the literature, when digital encryption takes place, the signal s = xi{t) is 
commonly taken as the transmitted encrypted message. The authors of [21] 
propose as ciphertext the modulation signal s(x, t) = g{t)xi{t). 

The modulation signal g{t) should be an appropriately chosen scalar signal. 
For the Lorenz dynamical system they propose to choose g{t) as the prod- 
uct of a sinusoidal factor times a variable of the chaotic system: g{t) = 
Acos{ujt + ipo) x^it). Hence, the transmitted ciphertext will be: s(x, t) = 

AcOs{iJt + (/9o) Xi(t) x^it). 

The key of the system is composed by the unknown values of the system 
internal parameters together with the, so called, external parameters u and 
(po, thus considerably enlarging the key space with respect to the simple chaotic 
encryption. 

The authors of [21] show that the attractor of the return map of the ciphertext 
is blurred by the modulation and, consequently, they claim that an intruder 
can not retrieve any information from it. They also show that the Fourier 
power spectrum of the ciphertext does not allow for the knowledge of the 
frequency uj of the sinusoidal factor. 

The authors seem to base the security system on the impossibility of perform- 
ing a return map attack and determining the sinusoidal modulating signal; 
but no general analysis of security is included. The weaknesses of this system 
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Fig. 1. Time story of the variables xi{t), X2{t), and X3(t) of of the Lorenz system, 
and a method to break it are discussed in the next section. 

2 Ciphertext absolute value attack 



In this section is presented an attack to the proposed improved security encryp- 
tion scheme based on taking the absolute value of the ciphertext. Our attack 
allows for the system breaking in two different ways. The first one consists of 
retrieving the plaintext directly from the ciphertext, when digital encryption 
is used. The second one consists of the identification and cancelation of the 
modulating signal cos{ut + ipo), allowing the plaintext recovery by the return 
map attack, thus circumventing the alleged system security improvement. 

The Lorenz attractor has a complicated shape, with trajectories spiralling 
around, and jumping between two loops, either in three dimensions or in any 
two-dimension projection. 

It is interesting to look at the time story and frequency power spectrum of each 
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Fig. 2. Power spectral density of the variables xi{t), X2{t) and X3{t) of the Lorenz 
system. 

component of the Lorenz system. As illustrated in Fig. 1, the variable xs{t) 
shows a quasi sinusoidal oscillation, always of positive value, whose amplitude 
changes in an irregular sawtooth like fashion; while the variables Xi{t) and 
X2{t) show a similar behavior but with sudden large amplitude jumps across 
the zero axis, corresponding to the attractor jumps between loops. 

The frequency power spectra of the Lorenz system variables are illustrated 
in Fig. 2. As observed, x^lt) has a relative clean and simple spectrum, with 
a narrow band at 13.7 rad/sec, that corresponds to the stable frequency of 
its oscillatory waveform. However, the variables Xi{t) and X2{t) have a much 
broader and complex spectra, with maximum amplitude near 3 rad/sec, due 
to the aperiodic jumps across the zero axis. 

Let us take the absolute value of the two first Lorenz system variables: yi{t) = 
kil'f)!? 1/2 (^) = ^2(^)1- When computing the time stories and frequency power 
spectra of yi(t) and 1/2 (t) the results illustrated in Fig. 3 are obtained. Both 
time stories resemble very much that of Xs{t), while their frequency power 
spectra are practically indistinguishable from that of 0:3 (t). That is, a new set 
of signals yi{t) and 1/2 (t) has been built, whose waveform and spectra are much 
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Fig. 3. Power spectral density and time story of |xi| and \x2\ of the Lorenz system. 

simpler than the ones of the original variables. In fact, when substituting xi{t) 
or X2(t) with 1/1 (t) or 1/2 (t) the double scroll is converted into a simple scroll 
with quite regular motion. 

It is assumed in the literature that chaotic modulation is an adequate means 
for secure transmission, because chaotic maps present some properties as sen- 
sitive dependence on parameters and initial conditions, ergodicity, mixing, 
and dense sinusoidal points. These properties make them similar to pseudo- 
random noise [22], which has been used traditionally as a masking signal for 
cryptographic purposes. 

A fundamental requirement of the pseudorandom noise used in cryptography 
is that its spectrum should be infinitely broad, flat, and of higher power density 
than the signal to be concealed within. In other words, any information power 
spectrum should be buried into the pseudorandom noise power spectrum. 

If any of the Lorenz system variables Xi{t) or X2{t) is used as a carrier signal 
for secure transmission, an attacker can take its absolute value to build a new 
signal with much simpler shape and spectrum. This new signal does not satisfy 
the above conditions. As a consequence, it may still preserve some plaintext 
information within, certainly alleviating the task of breaking the system. 
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Fig. 4. Full wave amplitude detector: (a)ciphertext signal; (b) plaintext; (c) low-pass 
filtered absolute value of the ciphertext signal; (d) recovered plaintext. 

2. 1 Direct plaintext recovery 



The main problem with this kind of cryptosystems lies on the fact that the 
ciphertext is an analog signal, whose waveform depends on the system param- 
eter values. When a parameter is switched between two different values by 
a digital plaintext [23], the system changes between two different attractors 
with different waveforms, amplitudes and frequencies. Therefore it is possible 
to extract some information by a suitable signal processing of the ciphertext. 



To illustrate the possibility of breaking the system, the chaotic transmitter of 
[21, §2 and fig. 4] has been simulated with the same parameter values of the 
example, that is: (A,cj,y9o) = (0.5,1.5,0.0), being the parameter h changed 
between its reference value 6o = 4.0 when the values O's are to be transmitted 
and hi = 4.4 when the values I's are to be transmitted. The parameter values 
have been arbitrarily chosen as: (o", r) = (16,45.6) and the system initial 
conditions as: (a:i(0),X2(0), 0:3(0)) = (—5.8,2,2.41). Our simulation was done 
with a four order Runge-Kutta integration algorithm in MATLAB 6 with a 
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Fig. 5. Power spectral density of the ciphertext signal: (a) spectrum of the trans- 
mitted signal ^cos(a;t + ipo) xi{t) 2:3 (t); (b) spectrum of the absolute value of the 
transmitted signal |^cos(Ljt + ipo) xi{t) X3(t)|. 

step size of 0.001. 

To break the system a so called full wave amplitude detector has been im- 
plemented, consisting of taking the absolute value of the ciphertext signal 
s(x, t) = Acos{ujt + ipo) Xi(t) Xs(t). Next, this signal is low-pass filtered and, 
finally, binary quantized. The low-pass filter employed is a six pole Butter- 
worth with a frequency cutoff of 1 rad/sec. The quantizer is a level comparator 
with switch point at level value 8 of the low-pass filtered absolute value of the 
ciphertext signal. 

The procedure is illustrated in Fig. 4. The result is a good estimation of the 
plaintext, with tiny inaccuracies consisting of small delays in the transitions, 
due to the time delay introduced by the filter. It should be emphasized that our 
analysis is a blind detection, made without the least knowledge of what kind 
of non-linear time- varying system was used for encryption, nor its parameters 
values and neither its keys. 



2.2 Modulating signal cancellation 



In the encryption method proposed in [21] the ciphertext signal s(x, t) = 
Acos^ut + ipo) Xi(t) Xsit) shows a crowded frequency power spectrum as is il- 
lustrated in Fig. 5(a). As the authors point out, it is impossible to identify in it 
any separated factor that can be exploited to attack the system. This is a con- 



sequence of the use of the Lorenz system and the modulating procedure. First, 
the spectrum of xi{t) x^it) is a comphcated one, due to the chaotic nature of 
the Lorenz system. Second, the multiphcation of this signal by Acos{ut + ipo) 
has the effect of generating a new spectrum composed by the superposition of 
two versions of the Xi{t) 0:3 (t) spectrum shifted ±cj radians per second. And 
third, the value chosen for uj falls in the neighborhood of the maximum of the 
spectrum of a;i(t) Xs{t), hence it is impossible to identify it from the frequency 
power spectrum. 

The aim of this encryption method is to foil the return map attack, by blurring 
the attractor of the return map. In Fig. 6 the attractor of the transmitted 
signal s(x, t) is plotted when digital encryption takes place in two different 
cases. In Fig. 6(a) without sinusoidal factor: 

s(x,t)=a;i(t)x3(t), (2) 

and in Fig. 6(b) when the sinusoidal factor is present: 

s(x, t) = Acos{ut + v^o) xi(t) x^it), (3) 

where {A,uj,ipQ) = (0.5, 1.5,0.0), being the system parameters for encryption 
[a, r, bo, bi) = (16, 45.6, 4.0, 4.4). It can be seen that when there is no sinusoidal 
modulation factor it is possible to use the return map attractors to retrieve 
the plaintext, because it is clearly distinguishable the splitting of the attractor 
segments originated by the plaintext presence. But when there is a sinusoidal 
modulating factor the attractors happen to by fully blurred, obstructing any 
straightforward analysis. 

To break such encryption scheme the following procedure is proposed, which 
will allow for the reconstruction of the return map attractor. 

First the frequency of the sinusoidal factor is identified from the ciphertext by 
computing the Discrete Fourier Transform of the ciphertext absolute value. 
Let u' be the approximate value of u and (f^ the approximate value of ipo- 
As is illustrated in Fig. 5(b) it can be seen that there is a very neat pick in 
the spectrum exactly at 2uj' = 3 rad/sec, which corresponds to the double of 
the sinusoidal factor frequency. This is due to the non linear nature of the 
absolute value function, which has the effect of folding the ciphertext upwards 
around the zero axis, effectively doubling the frequency of the sinusoidal fac- 
tor. The part of the spectrum corresponding to the Lorenz system factor, 
s(x, t) = Axi{t) x^lt), appears as a band of frequencies near 13.7 rad/sec. Fi- 
nally, there are two small amplitude side bands at 13.7±3 rad/sec, correspond- 
ing to the cross-modulation between the sinusoidal modulation factor and the 
Lorenz system factor. The spectrum was calculated using a 16384 point Dis- 
crete Fourier Transform with a 4-term Blackman-Harris window. 
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Fig. 6. Attractor of the return map of the ciphertext signah (a) clean attractor of 
an ideal signal with no sinusoidal factor 0.5a:i(t) a;3(t); (b) blurred attractor of the 
actual transmitted signal with sinusoidal factor 0.5cos(1.5t) a;i(t) X3(t). 
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Fig. 7. Zero crossing phase identification of ip'^ 



Once the sinusoidal factor frequency u' is estimated, it is a trivial task to 
determine its phase (^q just searching for the ciphertext zero crossing points 
at intervals equal to n/Au', as depicted in Fig. 7. 

Next, the approximate cancellation of the sinusoidal factor must be performed. 
Let x[ and x'2 be the approximate values of Xi and X2. Should the determi- 
nation of uj' and (/9q be exact it would be satisfactory to divide the ciphertext 
signal s(x,t) by the estimated sinusoidal factor cos{u't + ip^) to get rid of it, 

as: 

Acos{iJt + ipo)xi(t)x3{t) 



Ax[{t)x'^{t) 



(4) 



cos{uj't + (Pq) 

But, in practice, small inaccuracies in the determination of (/9q can lead to a 
division by cero, with infinite amplitude error. If the error e = ip'^ — ipo is 
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Fig. 8. Reconstruction of the attractor of the return map of the ciphertext signal 
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digitahy modulated, for various values of the error e 
radians; (b) e = 0.001 radians; (c) e = 0.01 radians; 

e > 0.001 radians it would be better to add some constant value t] around the 
zero level of the estimated sinusoidal factor, as follows: 



Ax[it)x',it) 



Acos{ujt + (po)xi{t)x3(t) 
sgn[cos(c<;'t + ip'o)] \ cos{uj't + ip'^) + ri\ 



(5) 



Finally, once the cancellation of the sinusoidal modulation has been per- 
formed, the return map attractor can by plotted. After simulating the recon- 
struction of the return map attractor of the example of 2.1, the results are 
presented in Fig. 8. It can be seen that the return map attractor is recon- 
structed with enough accuracy to enable the return map attack described in 
[19,20], thus deceiving the improved security claimed by the authors of [21]. 
In our simulation Eq. (4) was used to reconstruct the attractor with a ipQ 
determination error value of e = 0, 0005 radians; while for errors values of 
s = (0.001,0.01) radians, equivalent to 0.06 and 0.6 degree, Eq. (5) was used, 
with 77 values of 0.001 and 0.005, respectively. 



3 Conclusion 



The lack of security of the encryption method proposed in [21] is made evident, 
since it can be broken without knowing its parameter values and even without 
knowing the transmitter's precise structure. A new method that can retrieve 
the plaintext and determine part of the key directly from the ciphertext has 
been devised. As a result of our attack, the security of the proposed encryption 
scheme does not improve over the traditional chaotic encryption methods, 
being still vulnerable to the same attacks it intends to foil. 



10 



Acknowledgements 



This work was supported by Ministerio de Ciencia y Tecnologia of Spain, 
research grants TIC2001-0586 and SEG2004-02418. 



References 



[I] L. M. Pecora and T. L. Carroll. Synchronization in chaotic systems. Phys. Rev. 
Lett, 64:821-824, 1990. 

[2] L. M. Pecora and T. L. Carroll. Driving systems with chaotic signals. Phys. 
Rev. A, 44:2374-2383, 1991. 

[3] T. L. Carroll and L. M. Pecora. Synchronizing chaotic circuits. IEEE Trans. 
Circ. and Systems CAS, 38:453-456, 1991. 

[4] R. He and P. G. Vaidya. Analysis and synthesis of synchronous periodic and 
chaotic systems. Phys. Rev. A, 46:7387-7392, 1992. 

[5] S. Boccaletti, J. Kurths, G. Osipov, D. L. Valladares, and C. S. Zhou. The 
synchronization of chaotic systems. Phys. Rep.- Rev. Sec. Phys. Lett., 366(1- 
2):1-101, 2002. 

[6] H. Dedieu, M. P. Kennedy, and M. Hasler. Chaos shift keying: Modulation 
and demodulation of a chaotic carrier using self-synchronizing Chua's circuits. 
IEEE Trans. Circ. and Systems - II, 40(10) :634-642, 1993. 

[7] L. Kocarev and T. Kapitaniak. On an equivalence of chaotic attractors. J. 
Phys. A, 28(9):L249-L254, 1995. 

[8] C. K. Tse and F. C. M. Lau, editors. Chaos-Based Digital Communication 
Systems: Operating Principles, Analysis Methods, and Performance Evaluation. 
Springer Verlag, Berlin, New York, 2003. 

[9] K. M. Cuomo and A. V. Oppenheim. Chaotic signals and systems for 
communications. In Proc. IEEE ICASSP III, pages 137-140, 1993. 

[10] K. M. Cuomo and A. V. Oppenheim. Circuit implementation of synchronized 
chaos with applications to communications. Phys. Rev. Lett., 71(l):65-68, 1993. 

[II] C. W. Wu and L. O. Chua. A simple way to synchronize chaotic systems with 
applications to secure communication systems. Int. J. of Bifurcation and Chaos, 
3(6):1619-1627, 1993. 

[12] R. Lozi and L. O. Chua. Secure communications via chaotic synchronization. 
II. noise reduction by cascading two identical receivers. Int. J. of Bifurcation 
and Chaos, 3(5):1319-1325, 1993. 



11 



[13] T. Yang. A survey of chaotic secure communication systems. Int. J. Comp. 
Cognition, 2:81-130, 2004. 

[14] K. M. Short. Steps toward unmasking secure communications. Int. J. of 
Bifurcation and Chaos, 4(4):959-977, 1994. 

[15] Ch.-S. Zhou and T. 1. Chen. Extracting information masked by chaos and 
contaminated with noise: Some considerations on the security of communication 
approaches using chaos. Phys. Lett. A, 234:429-435, 1997. 

[16] G. Alvarez, F. Montoya, M. Romera, and G. Pastor. Cryptanalysis of a chaotic 
secure communication system. Physics Letters A, 306:200-205, 2003. 

[17] G. Alvarez, F. Montoya, M. Romera, and G. Pastor. Cryptanalysis of a discrete 
chaotic cryptosystem using external key. Physics Letters A, 319:334-339, 2003. 

[18] G. Alvarez, F. Montoya, M. Romera, and G. Pastor. Breaking parameter 
modulated chaotic secure communication system. Chaos, Solitons & Fractals, 
156, 2004. 

[19] G. Perez and H. A. Cerdeira. Extracting messages masked by chaos. Phys. Rev. 
Lett, 74(11):1970-1973, 1995. 

[20] T. Yang, L. B. Yang, and C. M. Yang. Cryptanalyzing chaotic secure 
communications using return maps. Phys. Lett. A, 245(6):495-510, 1998. 

[21] S. Bu and B.-H. Wang. Improving the security of chaotic encryption by using 
a simple modulating method. Chaos Solitons and Fractals, 19:919-924, 2004. 

[22] R. L. Devaney. A first course in chaotic dynamical systems. Addison- Wesley, 
Reading, MA„ 1992. 

[23] U. Parlitz, L. O. Chua, Lj. Kocarev, K. S. Halle, and A. Shang. Transmission 
of digital signals by chaotic synchronization. Int. J. of Bifurcation and Chaos, 
2:973-977, 1992. 



12 



